Maintaining virus detection software

ABSTRACT

A method of managing a virus signature database associated with an anti-virus application, both of which are resident in a memory of a mobile wireless device 2,4. Management messages containing for example new virus signatures are sent from the network 1 to the device 2,4. In accordance with instructions contained in the management messages, individual signature entries of the virus signature database are deleted or replaced, and new signatures added.

The present invention relates to maintaining virus detection software and in particular, though not necessarily, to maintaining virus detection software for use with mobile wireless devices.

The last decade has seen a rapid growth in the number and use of mobile cellular telephones. More recently, wireless devices known as “communicators” have been introduced and combine the functionality of mobile telephones and Personal Digital Assistants (PDAs). It is expected that this area will undergo massive growth in the near future as new cellular telecommunication standards (e.g. GPRS, UMTS, WAP) make possible the high speed transfer of data across the wireless interface.

The next generation of mobile telephones are likely to resemble a mini-computer rather than a telephone per se. Also, whilst to date cellular telephones have been very much manufacturer specific in terms of both hardware and software, future wireless devices are likely to be built on a much more open platform. This will allow the introduction into the devices of third party applications and will further fuel growth in much the same way as Microsoft Windows™ has done for personal computers.

It can be expected that the opening up of mobile wireless platforms will make such platforms susceptible to attack from so-called “malware” such as viruses, Trojan horses, and worms (referred to collectively hereinafter as “viruses”) in much the same way as the openness of present day PCs and workstations makes them susceptible to malware attack. A number of mobile telephone viruses have recently been identified in the wild. In order to resist virus attacks, anti-virus software will be deployed into mobile platforms in much the same way as it has been deployed in the desktop environment.

A number of different desktop anti-virus applications are currently available. The majority of these applications rely upon a basic scanning engine which searches suspect files for the presence of predetermined virus signatures. These signatures are held in a database which must be constantly updated to reflect the most recently identified viruses. Typically, users download replacement databases every so often, either over the Internet, from a received e-mail, or from a CDROM or floppy disc. Users are also expected to update their software engines every so often in order to take advantage of new virus detection techniques (e.g. which may be required when a wholly new strain of virus is detected).

Mobile wireless platforms present a series of problems for software developers (including developers of anti-virus software). Chief among these are the limited memory and processing power of mobile platforms, and the limited input/output capabilities which they possess (i.e. no CDROM or floppy drive, and no high bandwidth fixed line network or Internet connectivity).

According to a first aspect of the present invention there is provided a method of managing a virus signature database associated with an anti-virus application, both of which are resident in a memory of a computer device, the method comprising adding, deleting, and replacing individual signature entries of the virus signature database to maintain the effectiveness of the database.

The present invention is applicable in particular to mobile wireless platforms and devices such as mobile telephones, communicators, and palmtop and laptop computers with wireless interfaces. The invention is also applicable to other computer devices such as PCs, workstations, etc.

The inventors of the present invention have recognised that it will be difficult (and potentially expensive) to download an entire virus signature database to a mobile wireless device each time that an update to the database is required. By allowing the management of individual signature entries of the database, the updating process becomes incremental and is greatly simplified in many respects. For example, in order to update the database when a new virus is detected (and a signature generated for that virus), it is only necessary to download that signature and add it to the database (processing requirements are also reduced).

Preferably, the method comprises receiving management messages over the wireless interface, the management messages containing respective instructions, e.g. add, delete, or replace a virus signature. In the case of an add or replace signature instruction, the message may be accompanied by a new signature (where the new signature is contained in the management message or in a separate message). Management messages may be pushed to users, i.e. the messages are sent without a request from users, or pulled by users, i.e. messages are sent following the receipt of a request from users.

Preferably, management messages are accompanied by respective sequence numbers. The anti-virus application, or a management agent, resident in the memory of the wireless device uses the sequence number of a received management message to determine whether or not one or more preceding management messages have not been received. If it is determined that a management message has not been received, the application or agent may request that message via the wireless interface. The sequence number may be device or subscriber specific.

Virus signatures may be relevant to specific mobile wireless devices and to specific software. As such, management messages may be filtered either at the origin side of the wireless interface, prior to transmission over the wireless interface, or following receipt at a mobile device, to allow only messages relevant to a particular device (or software installed on that device) to be sent to that device or to be acted upon at the device.

Preferably, said mobile wireless device is a cellular communication device having an interface for allowing the device to communicate with a cellular telecommunications network. For example, the network may be a GSM network or a UMTS (3GPP) network. Management messages sent to the device may originate in the network or at a third party site, in which case the network provides a transit network.

It will be appreciated that the anti-virus application may be a stand-alone application or may be embedded in some other application.

According to a second aspect of the present invention there is provided a computer device having a memory and an anti-virus software application resident in the memory, the memory also containing an anti-virus signature database accessible in use by the anti-virus application, the apparatus comprising processing means for adding, deleting, and/or replacing individual signature entries of the virus signature database.

Preferably, the computer device is a mobile wireless device.

According to a third aspect of the present invention there is provided a method of managing a virus signature database associated with an anti-virus application, both of which are resident in a memory of a mobile wireless device, the method comprising receiving management messages, relating to database or anti-virus application changes, at the device, the management messages being filtered either at the origin side of the wireless interface or at the mobile device to pass only messages relevant to the recipient device.

In certain embodiments of the above third aspect of the present invention, the filter at the mobile device or at the origin side of the wireless interface has a knowledge of the properties of the mobile device (e.g. make, model) and/or of the software applications resident on the mobile device. Where the filter exists at the origin side of the wireless interface, this information may be sent to the filter from the mobile device. Management messages may contain the identity of mobile devices and/or applications to which they are relevant, such that the filter may compare the applicability of messages to the properties/resident software of destination mobile devices.

According to a fourth aspect of the present invention, there is provided a method of scanning information for the presence of a virus, the method comprising extracting predetermined virus signatures from a virus signature database and sequentially searching for the presence of signatures in the information, wherein the database contains for each of one or more viruses a plurality of signatures, and indicating the presence or absence of each of said one or more viruses based on a combination of the results of the plurality of searches.

For a better understanding of the present invention and in order to show how the same may be carried into effect, reference will now be made by way of example to the accompanying drawings in which:

FIG. 1 illustrates schematically a cellular telecommunications network suitable for distributing anti-virus software and database updates;

FIG. 2 illustrates the software architecture of a mobile wireless device; and

FIG. 3 is a flow diagram illustrating a method of updating anti-virus software and an associated database of the device of FIG. 2 using the network of FIG. 1.

There is illustrated in FIG. 1 a Public Land Mobile Network (PLMN) 1 which is the home network of a subscriber using a wireless device 2. The device 2 illustrated is a communicator type device. For the purpose of the following discussion, the PLMN 1 is assumed to be a GSM network. A second PLMN 3 is illustrated in the Figure, and this PLMN may represent a foreign or visited network for a roaming subscriber (using a wireless device 4 comprising a PDA and mobile telephone) whose home network is also the PLMN 1.

A Management Centre 5 operated by a third party anti-virus software manufacturer/distributor is coupled to the PLMN 1 and comprises a Management Server 6 and a Management Console 7. The Management Server 6 is connected to the communication backbone of the PLMN 1, e.g. to an MSC (not shown in the Figure). Via the Management Console 6, the operator is able to send SMS messages and data to devices such as the devices 2,4, and receive the same from these devices. It is assumed that the users of the mobile devices 2,4 have subscribed to a service of the Management Centre 5.

The devices 2,4 each have a memory storage means on which resides the operating system of the device. This may be for example EPOC or Windows CE™. A number of application programs are pre-loaded by the manufacturer or by the device supplier into the memory. These applications may comprise a phone application (used for making and controlling phone calls), a contacts database, and a word processor. The memory also contains an anti-virus application which may be a standalone application, part of a suite of security applications, or may be integrated into some other application. FIG. 2 illustrates a part of the software architecture of a mobile device 2,4.

The core of the anti-virus application is a virus scanning engine 8 which may resemble for example the scanning engine of the F-Secure Anti-Virus™ product family of F-Secure Oyj (Espoo, Finland). Associated with the scanning engine 8 is a virus signature database 9 which contains a sequence of virus signatures. The basic database structure is created when the anti-virus application is installed into the device 2,4. At the same time, the database 9 is populated with known virus signatures. In order to reduce the memory space occupied by the database 9, the virus signatures may be relatively short compared to the length of conventional anti-virus signatures. However, for certain viruses, this shortening of the virus signature may lead to a significant loss in the certainty with which viruses may be detected (and to an increase in false alarms). To overcome this problem, for certain viruses a plurality of signatures may be inserted into the database 9. These signatures may be linked or “chained” together, such that a virus warning is only generated if all (or possibly a subset of) signatures are identified in a scanned file. Multiple signatures may also be used to generate a detection confidence estimate.
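The chained-signature scan described above (and claimed as the fourth aspect), as an added example that is not the patent's own code: each virus holds several short signatures, the data is searched for each in turn, and the per-virus result is combined into a detection decision plus a confidence estimate. The database entries, byte patterns and the `required` threshold are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class VirusEntry:
    name: str
    signatures: List[bytes]  # short signatures "chained" together for one virus
    required: int            # how many of them must match before a warning is raised


# Constructed sample database: the patterns are deliberately short, so a single
# hit is not conclusive on its own and only the combination counts.
signature_db = [
    VirusEntry("EXAMPLE.A", [b"\x90\x90\xeb", b"CALL_HOME", b"\xde\xad"], required=3),
    VirusEntry("EXAMPLE.B", [b"GET /pay", b"\x00\x01\x02"], required=2),
]


def scan_data(data: bytes, db: List[VirusEntry] = signature_db) -> Dict[str, Tuple[bool, float]]:
    """Sequentially search for every signature; combine the hits per virus.

    Returns {virus_name: (detected, confidence)} where confidence is the
    fraction of that virus's signatures found in the data.
    """
    report = {}
    for entry in db:
        hits = sum(1 for sig in entry.signatures if sig in data)
        confidence = hits / len(entry.signatures)
        detected = hits >= entry.required   # all (or the configured subset) must match
        report[entry.name] = (detected, confidence)
    return report


def detected_viruses(data: bytes) -> List[str]:
    """Names of the viruses whose chained signatures were all found."""
    return [name for name, (hit, _) in scan_data(data).items() if hit]
```

A file containing only one of the three EXAMPLE.A fragments yields confidence 1/3 and no warning, which is exactly the false-alarm case the shortened signatures would otherwise produce.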

Also installed into the device's memory is a management agent 10. The management agent 10 is responsible for maintaining the database 9 and the anti-virus software 8 in response to management messages received from the Management Centre 5 over the wireless interface. The management messages may be sent using any suitable bearer such as a circuit switched or packet switched data connection (e.g. during a WAP session), or the Short Message Service (SMS) in GSM networks. The management agent 10 can access individual records of the virus signature database 9 to either enter new signatures into blank records, delete current signatures, or replace an existing signature. The management agent is also able to execute software patches in order to update the anti-virus scanning engine 8.

A management message sent from the Management Centre 5 to a mobile device 2,4 typically comprises a header portion which contains a subscriber specific sequence number, and a flag indicating whether the management message relates to a software or database update. In the case of a database update, the header shall also include a database entry number, and an instruction. Each time a new message is sent from the Management Centre 5 to a device, the sequence number is incremented by 1. In order to ensure that messages can be authenticated by a receiving device, messages are cryptographically signed at the Management Centre 5.

Following receipt of a management message at a mobile device 2,4, the message is passed to the management agent 10 where the cryptographic signature is checked. Assuming that the message is indeed authenticated, the management agent first compares the sequence number contained in the header with the sequence number of the last received message. In the event that the sequence number of the new message is the next expected sequence number, the updating procedure can proceed as described below. In the event that the sequence number of the new message is not the next expected sequence number, an error report is generated. This causes the management agent 10 to identify the missing updates and to request these (in order) from the Management Centre 5.

In the event that the sequence number of a received message is as expected, the management agent 10 determines whether or not the message relates to a software or database update. In the former case, the agent causes the update to be executed, automatically updating the software using an executable file contained in the payload of the message. In the latter case, the management agent 10 examines the database entry number and the instruction of the message header. The database entry number identifies a position in the database 9 which is to be operated upon, and the instruction identifies an operation such as ADD_NEW_SIGNATURE, DELETE_EXISTING_SIGNATURE, or REPLACE_EXISTING_SIGNATURE. The message may contain a payload section for carrying data. For example, this data could be a new or replacement virus signature.
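The three preceding paragraphs describe one procedure (message format, signature check, sequence check, then the record operation); the following is an added example of a management agent implementing it, not code from the patent. The wire format (a JSON header with fields `seq`, `kind`, `entry`, `instruction`), the use of HMAC-SHA256 under a pre-shared key as the "cryptographic signature", and the `ManagementAgent` class are all assumptions; the patent fixes none of them.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

SHARED_KEY = b"constructed-demo-key"  # assumed: pre-shared between centre and agent


def _signed_body(header: Dict, payload: Optional[bytes]) -> bytes:
    # The MAC covers the whole header (sequence number included) and the payload,
    # so neither can be altered or re-ordered without detection.
    return json.dumps(header, sort_keys=True).encode() + (payload or b"")


def sign_message(header: Dict, payload: Optional[bytes] = None) -> Dict:
    """Management Centre side: wrap header and payload with an HMAC (assumed format)."""
    mac = hmac.new(SHARED_KEY, _signed_body(header, payload), hashlib.sha256).hexdigest()
    return {"header": header, "payload": payload.hex() if payload else None, "mac": mac}


class ManagementAgent:
    """Device side: a constructed stand-in for the management agent 10."""

    def __init__(self, records: int = 8):
        self.db: List[Optional[bytes]] = [None] * records  # fixed record table; None = blank
        self.last_seq = 0                                  # sequence number of last accepted message
        self.missing: List[int] = []                       # updates to re-request, in order

    def handle(self, msg: Dict) -> str:
        header = msg["header"]
        payload = bytes.fromhex(msg["payload"]) if msg["payload"] else None
        expected = hmac.new(SHARED_KEY, _signed_body(header, payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return "REJECTED: bad signature"  # unauthenticated messages are never applied
        seq = header["seq"]
        if seq != self.last_seq + 1:
            # Gap (or replay) in the subscriber-specific sequence: report it and
            # list the missing updates so they can be requested in order.
            self.missing = list(range(self.last_seq + 1, seq))
            return "ERROR: expected seq %d, got %d; request %s" % (self.last_seq + 1, seq, self.missing)
        self.last_seq = seq
        if header["kind"] == "software":
            return "software update applied"  # patent: execute the patch carried in the payload
        idx, instr = header["entry"], header["instruction"]
        if not 0 <= idx < len(self.db):
            return "ERROR: no such record %d" % idx
        if instr == "ADD_NEW_SIGNATURE" and self.db[idx] is None and payload:
            self.db[idx] = payload            # enter a new signature into a blank record
        elif instr == "REPLACE_EXISTING_SIGNATURE" and self.db[idx] is not None and payload:
            self.db[idx] = payload            # overwrite the existing signature
        elif instr == "DELETE_EXISTING_SIGNATURE" and self.db[idx] is not None:
            self.db[idx] = None               # blank the record again
        else:
            return "ERROR: %s not valid for record %d" % (instr, idx)
        return "%s on record %d" % (instr, idx)
```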

At the Management Centre 5, new virus signatures will be created as and when new viruses are detected. This will cause management messages containing the ADD_NEW_SIGNATURE instruction to be sent to subscribers. In some cases, an improved signature for a known virus may be generated, in which case a management message containing the REPLACE_EXISTING_SIGNATURE instruction is sent to subscribers. Occasionally, a virus signature sent previously to subscribers may later be found to be ineffective, or may be found to generate false alarms, in which case a management message containing the DELETE_EXISTING_SIGNATURE instruction is sent to subscribers.

An update filter 11 is located at the Management Server 6 of the Management Centre 5. All management messages pass through this filter 11. The filter 11 contains a subscriber database, and for each subscriber records the manufacturer and model number of their mobile devices. The database may also record details of applications installed in subscriber devices. This information may be collected during the subscriber registration process, or may be collected dynamically. Management messages contain in their headers, or are accompanied by, information identifying the devices and/or applications to which they are applicable. This information allows the filter to direct messages only to those devices to which the messages are appropriate. This achieves a significant reduction in the use of the wireless interface resources, as well as a reduction in the processing requirements placed on the mobile devices. The sequence number is added to the header of a management message only after the message has passed through the filter. This ensures that the sequence number is device specific.
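The server-side update filter 11 as an added example (not the patent's own code): each subscriber record carries make, model and installed applications, a message names the devices or applications it applies to, and the per-subscriber sequence number is assigned only to the copies that pass the filter, so every device sees an unbroken sequence of its own. The subscriber table, the `applies_to` scope format and the `UpdateFilter` class are constructed assumptions.

```python
from typing import Dict

# Constructed subscriber database: make/model collected at registration,
# installed applications collected dynamically.
subscribers = {
    "sub-a": {"make": "ExampleCo", "model": "C1", "apps": {"browser", "mail"}},
    "sub-b": {"make": "ExampleCo", "model": "P2", "apps": {"mail"}},
    "sub-c": {"make": "OtherCo", "model": "X9", "apps": {"browser"}},
}


class UpdateFilter:
    def __init__(self, subscriber_db: Dict[str, Dict]):
        self.subscribers = subscriber_db
        # One counter per subscriber: the sequence number is device specific.
        self.next_seq = {sub: 1 for sub in subscriber_db}

    @staticmethod
    def applies(message: Dict, device: Dict) -> bool:
        """Compare the message's applicability scope with the device's properties."""
        scope = message["applies_to"]
        if "makes" in scope and device["make"] not in scope["makes"]:
            return False
        if "models" in scope and device["model"] not in scope["models"]:
            return False
        if "apps" in scope and not (device["apps"] & set(scope["apps"])):
            return False
        return True

    def dispatch(self, message: Dict) -> Dict[str, Dict]:
        """Return {subscriber_id: per-device message} for the subscribers that match.

        Non-matching subscribers receive nothing and their counters do not move,
        so no gaps appear in the sequence they observe.
        """
        out = {}
        for sub, device in self.subscribers.items():
            if not self.applies(message, device):
                continue
            header = dict(message["header"], seq=self.next_seq[sub])  # seq added after filtering
            self.next_seq[sub] += 1
            out[sub] = {"header": header, "payload": message.get("payload")}
        return out
```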

FIG. 3 is a flow diagram further illustrating a method of updating anti-virus software and signature databases using the network of FIG. 1.

It will be appreciated by the person of skill in the art that various modifications may be made to the above described embodiment without departing from the scope of the present invention. Systems may be designed in which software or database updates are automatically sent to mobile devices (i.e. updates are pushed to mobile devices), or where the updates are sent following a request from mobile devices (i.e. updates are pulled to mobile devices). In another modification to the described embodiment, the filter present at the Management Centre 5 may be informed of the properties of a destination mobile device during a communication session, e.g. based on the http headers sent from a browser of a device during a WAP session. In yet another modification to the described embodiment, a management message may relate to a plurality of virus database entries. For example, the message may identify two database records with the payload containing two respective new signatures. In yet another modification to the described embodiment, the management message may comprise a sequence of packets which are concatenated upon reception at the mobile device. In yet another modification to the described embodiment, the management message may identify an address (e.g. a WAP or WWW URL) from where a new signature may be downloaded. There is thus no need to include the signature in the message itself.

1. A method of managing a virus signature database associated with an anti-virus application, both of which are resident in a memory of a mobile wireless computer device, the method comprising: receiving management messages over the wireless interface, the management messages containing respective add, delete, or replace virus signature instructions for adding, deleting and replacing individual signature entries of the virus signature database to maintain the effectiveness of the database; wherein the method further comprises filtering the management messages either at the origin side of the wireless interface, prior to transmission over the wireless interface, or following receipt at a mobile device, to allow only messages relevant to a particular device or software installed on that device to be sent to that device or to be acted upon at the device.
2. A method according to claim 1, wherein in the case of an add or replace signature instruction, the message is accompanied by a new signature.
3. A method according to claim 1, wherein management messages are accompanied by respective sequence numbers and the anti-virus application, or a management agent, resident in the memory of the wireless device uses the sequence number of a received management message to determine whether or not one or more preceding management messages have not been received.
4. A method according to claim 3, wherein, if it is determined that a management message has not been received, the application or agent requests that message via the wireless interface.
5. A method according to claim 1, wherein said mobile wireless device is a cellular communication device having an interface for allowing the device to communicate with a cellular telecommunications network.
6. A mobile wireless computer device having a memory and an anti-virus software application resident in the memory, the memory also containing an anti-virus signature database accessible in use by the anti-virus application, the device comprising: a receiver for receiving management messages over a wireless interface, the management messages containing respective add, delete, or replace virus signature instructions for adding, deleting and replacing individual signature entries of the virus signature database to maintain the effectiveness of the database; filtering means for filtering the management messages to allow only messages relevant to the device or software installed on the device to be acted upon at the device; and processing means for adding, deleting, or replacing individual signature entries of the virus signature database.
7. A method of managing a virus signature database associated with an anti-virus application, both of which are resident in a memory of a mobile wireless device, the method comprising receiving management messages, relating to database or anti-virus application changes, at the device, the management messages being filtered either at the origin side of the wireless interface or at the mobile device to pass only messages relevant to the recipient device.
8. A method according to claim 7, wherein the filter at the mobile device or at the origin side of the wireless interface has a knowledge of the properties of the mobile device or of the software applications resident on the mobile device.
9. A method according to claim 7, wherein the filter exists at the origin side of the wireless interface, and properties of the mobile device or of the software applications resident on the mobile device are sent to the filter from the mobile device.
10. A method according to claim 7, wherein the management messages contain the identity of mobile devices or applications to which they are relevant, such that the filter may compare the applicability of messages to the properties/resident software of destination mobile devices.
11. A method of scanning information for the presence of a virus, the method comprising extracting predetermined virus signatures from a virus signature database and sequentially searching for the presence of signatures in the information, wherein the database contains for each of one or more viruses a plurality of signatures, and indicating the presence or absence of each of said one or more viruses based on a combination of the results of the plurality of searches.